I have a bit of a conundrum, regarding one of our email accounts. Long and the short of it is that the lady in question keeps receiving spam. From herself... And she is the only one, no one else has received anything in that line from her or anyone else.

I have checked her account and from what I can see, everything looks fine? No spam mails in her sent items folder, no signs of any suspicious activity, just the spam mail that gets sent to her from her own account.

I have no idea what's going on. So if anyone can point me in the direction of something to check I would appreciate it.

1. Are they the same spam or the same type of emails? Did she subscribe to anything recently... likely non-official matters like adult sites, pirated software or "free downloads", etc.

2. Does she use email clients like Outlook or Outlook Express at home or via her mobile (it might be infected)? One way to test is to add a contact via these machines and send a test email with a local attachment to both the test account and someone else... see if the spam gets sent to these 2 persons.

3. If #2 fails or the above machines are not infected, it might be a spoof where someone else whom the user has sent emails to is infected. So that person's email client is sending email as someone else.

It's all pretty much the same type of mail. Minor detail changes to them.

No, she only uses the work laptop for work mail correspondence.

I haven't seen an infection so far....

If it's the same type of email, then likely the email address was used at some weird websites where a "sister" site may be using it to spam or send advertisements etc.

+1 for looking at the headers. Not which email address is the message coming from, but what IP address is connecting in. Look for "X-Originating-IP" or "Received:" headers. If the user is really delivering these messages to herself, then the "X-Originating-IP" will be common with her other IPs. If it's originating somewhere else, then her email address is just "spoofed" not "compromised".

"Received:" headers are the same (and will almost always be in the headers on an email coming in from the outside). Received headers are backwards (most recent hop first, originating hop last). If it says "Received: from <some place outside your organization> by <your mail server>", then you know it's coming in from the outside. If it's coming in from the outside, then it can (should) be blocked by your ASAV service.

It's possible that this user is the only one receiving these messages, but more likely, everyone is getting similar messages, but this user has whitelisted something they shouldn't have. If they whitelisted your domain, their email address, etc., and nobody else has, then that explains why they are the only one receiving these emails.

To also +1 other posts, if it is coming in from an unauthorized location, SPF is most likely the correct answer. First you have to create the records, then you have to filter based on them in your threat protection service.
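An added example, not code from the thread, of the header check described above: it walks the Received: chain (most recent hop first, origin last), pulls the connecting IP out of each hop, and decides whether the originating hop was inside the organisation (the account really sent it) or outside (the address was spoofed). The sample message, the 192.0.2.0/24 internal range and the helper names are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: the organisation's own mail relays live in this range.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: a message claiming to be from the user herself,
# handed to the organisation's MX by an outside host, then stored internally.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by mailstore.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from unknown (HELO friend.example.net) (203.0.113.45)
        by mx.example.org with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: user@example.org
To: user@example.org
Subject: Great offer

Spam body
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_ips(raw):
    """Connecting IP of each Received: header, in header order
    (most recent hop first); the last element is the originating hop."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        # The connecting address sits in the "from ..." clause, before "by".
        from_part = str(hdr).split(" by ", 1)[0]
        m = IP_RE.search(from_part)
        ips.append(m.group(1) if m else None)
    return ips


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(raw):
    """'internal' if the originating hop is one of ours, 'external' if the
    message entered from outside (spoofed sender), 'unknown' if unparsable."""
    ips = received_ips(raw)
    if not ips or ips[-1] is None:
        return "unknown"
    return "internal" if is_internal(ips[-1]) else "external"
```

An "external" result for mail bearing the user's own address is the case the post says SPF checking at the filtering service should catch.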